UserInfo Lookup for AccessToken with "AuthType auth-openidc"

[studersi]

We are in the process of setting up an endpoint that allows access using either a session Cookie or AccessToken using the AuthType auth-openidc according to https://github.com/OpenIDC/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect.

When accessing the endpoint with a cookie, we get all the OIDC claims we would expect to get from a UserInfo lookup. However, when accessing the endpoint with an AccessToken, we only get the OAuth2 claims, we would expect from token introspection, not the UserInfo.

Is there a way to also fetch UserInfo for requests authenticated with an AccessToken, similar to requests authenticated with a session cookie?

[zandbelt]

no, that is not possible and I would be hesitant to add something like that because it would further blur the line between OAuth 2.0 and OpenID Connect (though granted SPAs with the current implementation are already a mix, hence the separate mod_oauth2 development). I guess the way forward would be to pickup the access token in the application and make your own requests with it, or better, to add the claims you need to the access token introspection result.

[studersi]

I see, thank you for the explanation.

This does raise some follow-up questions with respects to the auth-openidc AuthType, however.

From what I understand, separating mod_oauth2 out of mod_auth_openidc into a separate module was intended to make the distinction between OAuth2 and OIDC clearer. Does that mean that AuthType auth-openidc is to be be avoided if possible since it blurs this distinction and is simply a remnant of the previous implementation where the two modules were not separated yet?

Would adding the necessary OIDC user info claims to the access token introspection result not blur the line in the same way? Or in other words, would needing to add OIDC user info claims to an OAuth2 introspection result be indicative of an underlying architectural problem?

Is it a standard approach to let the application look up the OIDC user info claims based on the access token where necessary or would that be more of a workaround (or would that fall outside the OIDC specification altogether)?

[zandbelt]

OpenID Connect (and hence the cookie consumed with AuthType openid-connect) deals with an authenticated user accessing the application by himself as himself, OAuth 2.0 Resource Server (and therefore the access token consumed with AuthType oauth20) deals with a client acting on behalf of the user in a delegated fashion; the two are semantically very different and thus the claims are inherently different and may or may not have overlap; AuthType auth-openidc muddies the waters by mixing the two on the same path, architecturally I'd rather see SPAs use the cookie only and have non-browser clients access different paths (but that horse seems to have left the barn in many deployments)